Overview
Social engineering is a psychological manipulation tactic used by cybercriminals to trick individuals into disclosing confidential information, sending money, or compromising security systems. Instead of only exploiting the software, the threat actor targets the victim's psychology: they play with your emotions until you follow their instructions and fall into the trap. It is the same as when you want to conquer a kingdom: you don't have to bring a thousand troops to defeat your enemy; instead you can just befriend the enemy's king and stab him in the back, with no great casualties or resources necessary. That also explains social engineering.
The reason I want to bring this up is that cybersecurity awareness in Indonesia is still low, and so are its cybersecurity defenses. The data of Indonesian citizens has been leaked all over the darknet, which means that my personal data, your personal data, and that of every person you know might already be known to anonymous parties, and that data can be a tool for social engineering. So what can we do if our data has already leaked? Being extra careful about what you encounter on the internet and trying not to fall into the trap is the best thing you can do; you are the first line of defense. But how can you do that? Well, we will talk about it in this blog.
The story I am about to tell you is the real-life account of a close relative of mine who encountered social engineering.
The Attack
It all started when my relative got a call from an unknown number. The call came through WhatsApp, and she answered it. The caller claimed to be from the Civil Registration Office (Disdukcapil) and notified my relative that she had not yet made an E-KTP (electronic ID) and was required to do so by installing an app to complete the electronic ID. My relative did so, and after a long process, her bank account balance was found to be zero right after the process ended.
So that's the short form of the story, but we might want to know in more detail how something like this can catch anybody, including those who are already aware of this kind of fraud.
Breaking it Down
The first thing to know is that there were actually 2 calls in this incident, both claiming to be from the Civil Registration Office. The first caller read out my relative's PII (NIK, birth date, address, and so on); the threat actor tried to gain her trust by reading out this PII to prove that they were really from the Civil Registration Office. In reality, this data can be obtained from the darknet, because, again, the citizen data of the Republic of Indonesia has already leaked; it is possible that the threat actors identified her through the phone number linked to her NIK (National ID Number). So my relative just acknowledged that, and the first caller said that there would be a second call in 10 minutes.
The second call did happen; my relative answered it, and this is where the attacker showed his social engineering skills. The second caller also came through WhatsApp. The caller had a profile picture in batik clothing (the usual clothing that Indonesian civil servants wear) and a lanyard, all of this to gain the victim's trust that it really was from the officials; his WhatsApp profile also had the attacker's full name (obviously fake) with a bachelor's degree to really prove that he was legit. He started by introducing himself and reading out my relative's PII again, on purpose, to verify her identity and prove his legitimacy.

After that, the attacker asked my relative to share her screen from the WhatsApp call; he requested it on the pretext of guiding my relative through activating her electronic ID. My relative did so, and the attacker guided her to open Chrome (the web browser) and enter the attacker's domain. On that domain, the website looked like a legitimate official site, and then he instructed her to go to the download section of the website. My relative clicked the button to download, and the application started downloading; the file format was .apk.
The attacker then instructed her to turn off the security setting that prevents any installation from outside the Google Play Store, and then guided her again to turn off Google Play Protect (the security feature that detects malware from Google Play). All of this was done so that the malware application would be successfully installed and executed on the victim's phone.
At this point the malware was already installed on my relative's device, just a step away from the application being executed. The attacker then instructed her to open the application. Inside the application there was a login page that required my relative to enter her email and password; thankfully my relative had chosen a different password from her Google account password. If that had not been the case, the Google account could have been taken over by the attacker too. The next page then asked her to enter her NIK and other information (again, to trick the victim into believing it was really from the officials).
After that there was a loading screen saying that the data was being processed; the loading took very long. In the meantime, the attacker asked my relative to turn on a WhatsApp video call to do some face verification. After the loading screen reached 100%, the attacker instructed her to pay an administration fee of Rp10.000. My relative opened the banking app and entered her verification password and PIN, but the banking app quickly logged out and had to be registered again from the start, which is very unusual.
At this point, it is possible that the attacker had already installed a keylogger on the device, which can read every PIN or keystroke you enter, including sensitive information. The attacker had already obtained her PIN and also her face for recognition, so the attacker could access the victim's account from his own device.
The call quickly hung up, and it is possible that the victim's phone was completely taken over by the attacker.
Now all the banking applications were already blocked out on the phone, and the only way to prevent the money from flowing out of the bank account was to block the bank account by calling the bank's customer service. My relative did so, and it was identified that the money left in the m-banking was zero.
Aftermath
My relative was really shocked about this and felt terrified; all of the balance in the m-banking was zero. The moment after you realize this, a cold sweat breaks out all over your body, knowing that in a matter of seconds the money just went away like that. Then my relative confirmed with customer service to quickly block the bank account internally so that no transaction could be made until the recovery of the account.
The trauma haunted the night of the fraud; you can't fall asleep and keep remembering everything you did, only to end up with a balance of zero. The malware application was quickly deleted, but she could not just reset the phone, since all of the important data had not yet been backed up, and she had to do that the next day, because it was already late at night and she had to file a police report.
From this story, we can take a lesson on what to do if you are being socially engineered:
- Delete the malware app immediately: If there are applications installed out of nowhere, delete them immediately; such an app can be used by the attacker to carry out their crime remotely or perform any other harmful action on your device.
- Block your account immediately: If the social engineering is linked to finance, immediately call the bank's customer service to block your bank account so that no further transactions can be made by the attacker. You can unblock your account once it is considered safe to do so.
- Turn off any connection or enable airplane mode: Airplane mode blocks all incoming connections and signals; to prevent the attacker from staying connected to your device, turn off every connection immediately. You can also boot the device into safe mode to prevent any open access from the attacker.
- Back up your device: Backing up should always come first of all these actions, but if you haven't done it yet, back up your device before you completely wipe or factory reset it. It is recommended to back up your device offline as part of hardening your device against the attacker.
- Factory reset: There is a chance that other malware was installed by the attacker, so the single most recommended thing you have to do is factory reset your device to make sure no other malware or spyware remains on it.
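As an added example (not part of the original post), a small triage helper for the first step above: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and lists those not installed through the Play Store, which is exactly how a sideloaded .apk like the fake E-KTP app would show up. The sample output embedded below is constructed, its package names are placeholders, and the helper assumes the phone is reachable with adb.

```shell
#!/bin/sh
# Added triage helper; not code from the original post. Lists third-party
# packages that were NOT installed by the Play Store (com.android.vending),
# i.e. sideloaded candidates such as a fake "E-KTP" .apk pulled from a
# browser download. Assumes the phone is reachable with adb (USB debugging).

# Constructed sample of `adb shell pm list packages -3 -i` output, with
# placeholder package names. Sideloaded apps usually show installer=null
# or the package installer / a browser as their installer.
SAMPLE_PM_OUTPUT='package:com.whatsapp  installer=com.android.vending
package:com.example.fake_ektp  installer=null
package:com.example.bank.mobile  installer=com.android.vending
package:com.example.downloaded  installer=com.google.android.packageinstaller'

# Read `pm list packages -3 -i` lines on stdin; print "<package> <installer>"
# for every package whose installer is not the Play Store.
# The tr strips the CR that adb shell output often carries (CRLF line ends).
flag_sideloaded() {
    tr -d '\r' |
    awk -F'[ =]+' '
        /^package:/ && $3 != "com.android.vending" {
            print substr($1, 9), $3    # drop the 8-char "package:" prefix
        }'
}

# Demo on the constructed sample; on a real device use:
#   adb shell pm list packages -3 -i | flag_sideloaded
printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded
```

Anything the helper prints is a candidate to review, not a verdict: vendor-preloaded apps and apps from other stores also show a non-Play installer.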
After all of the actions above have been done, you can try to recover your affected bank accounts and other sensitive files that may have been affected.
This type of social engineering is called impersonation and phishing, in which the attackers identify themselves as officials and urge the person to take some action immediately. To prevent this kind of attack in the future, the awareness you can apply is:
- Verify the Source: Always double-check the sender's actual email address, phone number, or profile to ensure it matches the official organization. If in doubt, contact the institution directly using a known, trusted channel (like their official website or customer service number).
- Beware of Urgency: Be highly skeptical of messages that create a false sense of urgency, panic, or threaten negative consequences if immediate action is not taken. This is a primary manipulation tactic used to bypass critical thinking.
- Inspect Links and Attachments: Hover over hyperlinks to preview the actual destination URL before clicking, looking for subtle misspellings or unusual domains. Never download attachments from unsolicited or unexpected messages.
- Protect Sensitive Information: Remember that legitimate officials, banks, or IT administrators will never ask for your passwords, PINs, or One-Time Passwords (OTPs) via email, text message, or phone call.
- Enable Multi-Factor Authentication (MFA): Implement MFA on all critical accounts. This adds an essential layer of security, ensuring that even if an attacker successfully phishes your password, they still cannot access the account without the second verification step.
There is a 50/50 chance that the money can be recovered if the attacker has not yet made another transaction after the money was stolen, meaning the attacker tries to launder the money by transferring it to someone else or quickly cashing it out. But in order to attempt recovery and investigation, a police report is required. After some investigation conducted internally by the bank, it was identified that the money had been transferred to a different bank. If the report and action are faster than the threat actor laundering the money, there is a chance, but in this case it was already too late. So the possibility of getting the money back is ZERO.
"Trust, but verify."
- Ronald Reagan